Legal Bases for Processing of Personal Data
Is an identified legal basis required in order to collect or process non-sensitive personal data?

Last review date: 17 December 2024

Yes.

The following are potential legal bases for processing personal data:

  • the data subject has provided consent to the processing for the identified purposes
  • the personal data is necessary to perform a contract with the data subject
  • the personal data is necessary to comply with a legal obligation
  • the personal data is necessary to protect the vital interests of a natural person
  • the personal data is necessary for a public interest
  • the personal data is necessary to fulfil a legitimate interest of the controller or third party (provided that the interest is not overridden by the data subject's privacy interests and the data subject has not made use of his/her right to object)
  • other:

Please see below regarding personal data or sensitive personal data in the employment context.

Private bodies are permitted to process personal data for a purpose other than the one for which the data were collected pursuant to Sec. 24 para. 1 Federal Data Protection Act, if:

  • processing is necessary to prevent threats to state or public security or to prosecute criminal offences; or
  • processing is necessary for the establishment, exercise or defense of legal claims;

unless the data subject has an overriding interest in not having the data processed.

Is an identified legal basis required in order to collect or process sensitive personal data?

Last review date: 17 December 2024

Yes.

The following are potential legal bases for processing special categories of personal data:

  • the data subject has given consent to the processing, where consent is measured to a higher standard than for non-sensitive personal data (for example, additional requirement for consent to be "explicit")
  • processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
  • processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
  • processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and further conditions
  • processing relates to personal data which are manifestly made public by the data subject
  • processing is necessary for the establishment, exercise or defense of legal claims
  • processing is necessary for reasons of substantial public interest
  • processing is necessary for the purposes of medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
  • processing is necessary for reasons of public interest in the area of public health
  • processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
  • other:

For private bodies, the processing of special categories of personal data is permitted pursuant to Sec. 22 para. 1 German Federal Data Protection Act, if:

  • processing is necessary to exercise the rights derived from the right of social security and social protection and to meet the related obligations
  • processing is necessary for the purposes of preventive medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services or pursuant to the data subject's contract with a health professional and if these data are processed by health professionals or other persons subject to the obligation of professional secrecy or under their supervision, or
  • processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices
  • processing is urgently necessary for reasons of substantial public interest.

For private bodies the processing of special categories of personal data for a purpose other than the one for which the data were collected shall be permitted, if:

  • processing is necessary to prevent threats to state or public security or to prosecute criminal offences, or
  • processing is necessary for the establishment, exercise or defense of legal claims,

unless the data subject has an overriding legitimate interest in not having the data processed and an exception pursuant to Art. 9 para. 2 GDPR or pursuant to Sec. 22 Federal Data Protection Act applies.

Are there special requirements that apply to the collection or processing of personal data from minors?

Last review date: 17 December 2024

Yes.

  • With regard to the legal basis “performance of a contract”: According to guidance from the EDPB, in order to be able to rely on Art. 6 (1) b) GDPR, a valid conclusion of the agreement is required. Under German contract law, a natural person
    1. must generally be 18 years old to give a valid declaration of intent required to enter into a valid agreement.
    2. who is a minor under the age of 18 years but has reached the age of 7 years can only give a declaration of intent required to enter into a valid agreement with the consent of their legal representative, unless the minor receives merely a legal benefit.
    3. younger than 7 years is incapable of contracting.
  • With regard to the legal basis “legitimate interests”: Art. 6 (1) f) GDPR explicitly mentions “in particular where the data subject is a child”, and recital 38 GDPR states: “Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.”
  • To the extent the processing is based on “consent” and the processing is related to the offer of information society services directly to a child: Art. 8 GDPR stipulates that the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing of personal data is lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.

Other laws also contain specific requirements concerning the processing of personal data of minors, e.g. the Digital Services Act and the Telecommunication Digital Services Data Protection Act.

In what circumstances do these special requirements apply?

Last review date: 17 December 2024

  • generally
  • in the context of information society services (e.g., a commercial website) only if processing is based on consent

What are the special requirements that apply to collecting or processing personal data from minors?

Last review date: 17 December 2024

  • consent must be given or authorized by the parent/guardian of the minor
  • other, see above